Preface
Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements should be imposed.
Let's look into what is actually required in modern security standards/frameworks.
| Standard | Mandatory Password Rotation | Minimum Password Length | Password Charset Restrictions |
|---|---|---|---|
| NIST SP 800-63B | No | 8 | None |
| PCI-DSS v4.0 | No* | 12 | ? |
| Microsoft | No | 14 | None |
| NIS 2 Directive | No | NA | None |
| (Danish) CFCS | No | 15 | None |
| (Canadian) Centre for Cyber Security | No | 12 | None |
NIST Special Publication 800-63B (2017)
TL;DR - 8 chars minimum length, no charset restrictions but ban dictionary/context-specific words, enforce rate-limits and no password hints.
Quotes:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
Payment Card Industry (PCI) - Data Security Standard (DSS) (2022)
TL;DR - 12 chars minimum length, charset should contain both numeric and alphabetic characters, enforce rate-limits.
Quotes:
Passwords/passphrases are changed at least once every 90 days, OR The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
Password policy recommendations for Microsoft 365 passwords (2023)
TL;DR - 14 chars minimum length, no charset restrictions but ban dictionary/context-specific words, enforce rate-limits and MFA.
Quotes:
Password expiration requirements do more harm than good
Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good.
Directive (EU) on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)
TL;DR - NIS 2 doesn't enforce password rotation, it just tell you to have a strategy for managing passwords.
Quotes:
Cyber hygiene policies comprising a common baseline set of practices, including software and hardware updates, password changes, the management of new installs, the limitation of administrator-level access accounts, and the backing-up of data
The Centre for Cyber Security (CFCS) - Passwordsikkerhed (2023)
TL;DR - 15 chars minimum length, no charset restrictions but ban dictionary words, enforce MFA and encourage password-manager usage..
Quotes (danish):
Undgå unødvendige komplicerede passwordregler - god længde. Lavere kompleksitet
Tvunget passwordskift skal benyttes, hvis der findes tegn på eller mistanke om kompromittering
Hvis der gennemtvinges periodisk ændring af passwordet, sammensætter brugere ofte et nyt, som er næsten identisk med det tidligere